
ASA, conduits, ftp-data

Status: Not open for further replies.

dozier

MIS
Apr 17, 2001
88
US
Alright, a little curious about something here.

*Things are currently working, but I want to know how/why*

I have a host on the inside network that regularly initiates FTP connections to a host on the DMZ network. Doesn't the 'fixup protocol ftp 21' statement eliminate the need to expressly permit the ftp-data connection (on port 20) that originates from the ftp server on the DMZ via conduits or access-lists? Isn't that a part of the ASA? I ask because there is currently a conduit allowing TCP connections inbound back to this inside host from the ftp server on the DMZ and it is taking hits. Would these FTP connections still work if I removed the conduit?

Thanks.
 
My understanding is yes, they should still work, providing the host can make the initial port 21 connection. The traffic on port 20 should be expected and allowed by the fixup command. Why the conduit command is registering hits I couldn't say.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
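To make the reply's point concrete, here is an added toy model (not from the thread or from Cisco) of what the FTP fixup does on the control channel: it parses the client's PORT command (active mode) or the server's 227 reply (passive mode) and opens a one-shot pinhole for exactly that data connection, so the server's connection back from port 20 is permitted with no conduit while any other DMZ-to-inside connection is still denied. The addresses are constructed for the thread's inside-host/DMZ-server scenario, and the model ignores the NAT rewriting of the embedded address that the real fixup also performs.

```python
import re

# Constructed addresses for the thread's scenario (assumptions, not from the
# post): an inside host talking to an FTP server on the DMZ.
INSIDE_CLIENT = "10.1.1.5"
DMZ_SERVER = "172.16.1.10"
_ADDR = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_ftp_addr(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies."""
    m = _ADDR.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class FtpFixup:
    """Toy model of 'fixup protocol ftp 21': watch the port-21 control
    channel and open a one-shot pinhole for the matching data connection."""
    def __init__(self):
        self.pinholes = set()  # (src_ip, src_port or None, dst_ip, dst_port)

    def inspect(self, client_ip, server_ip, line):
        """Feed one control-channel line (either direction) to the inspector."""
        if line.upper().startswith("PORT "):
            # Active mode: client advertises where the server should connect
            # back; that data connection comes from server port 20.
            ip, port = parse_ftp_addr(line)
            self.pinholes.add((server_ip, 20, ip, port))
        elif line.startswith("227 "):
            # Passive mode: server advertises the port the client will open.
            ip, port = parse_ftp_addr(line)
            self.pinholes.add((client_ip, None, ip, port))

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        """Would this new TCP connection be allowed without any conduit?"""
        for hole in self.pinholes:
            s_ip, s_port, d_ip, d_port = hole
            if (s_ip, d_ip, d_port) == (src_ip, dst_ip, dst_port) and s_port in (None, src_port):
                self.pinholes.discard(hole)  # consumed once the data session opens
                return True
        return False

def demo_active_mode():
    # Client sends PORT for 10.1.1.5:1234 (4*256+210); only the server's
    # connection from port 20 to that port passes, an unrelated one does not.
    fw = FtpFixup()
    fw.inspect(INSIDE_CLIENT, DMZ_SERVER, "PORT 10,1,1,5,4,210")
    data_conn = fw.permits(DMZ_SERVER, 20, INSIDE_CLIENT, 4 * 256 + 210)
    unrelated = fw.permits(DMZ_SERVER, 4444, INSIDE_CLIENT, 5555)
    return data_conn, unrelated
```

A real firewall also ages the pinhole out if the data connection never arrives; this model keeps it until it is used.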
 
Thanks for the sanity check.

Theoretically it could be some other kind of connection that's generating the hits since the conduit is for any TCP connection, not specifically FTP. Every time I do a 'show conn' though all I see are the FTP connections, so it looks like that is in fact what's increasing the counts.
 